Critical Security Controls

The Council's Technology practice area is built upon the Critical Security Controls (the Controls), a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The Controls have been developed and maintained by an international, grass-roots consortium which includes a broad range of companies, government agencies, institutions, and individuals from every part of the ecosystem (threat responders and analysts, security technologists, vulnerability-finders, tool builders, solution providers, front-line defenders, users, consultants, policy-makers, executives, academia, auditors, etc.) who have banded together to create, adopt, and support the Controls.

Download Critical Security Controls v5

The Critical Security Controls

The Critical Controls for Effective Cyber Defense (the Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive attacks. They were developed and are maintained by a consortium of hundreds of security experts from across the public and private sectors. An underlying theme of the Controls is support for large-scale, standards-based security automation for the management of cyber defenses.

  • Inventory of Authorized & Unauthorized Devices
  • Inventory of Authorized & Unauthorized Software
  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Continuous Vulnerability Assessment & Remediation
  • Malware Defenses
  • Application Software Security
  • Wireless Access Control
  • Data Recovery Capability
  • Security Skills Assessment & Appropriate Training to Fill Gaps
  • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Limitation and Control of Network Ports, Protocols and Services
  • Controlled Use of Administration Privileges
  • Boundary Defense
  • Maintenance, Monitoring & Analysis of Audit Logs
  • Controlled Access Based on the Need to Know
  • Account Monitoring & Control
  • Data Protection
  • Incident Response and Management
  • Secure Network Engineering
  • Penetration Tests and Red Team Exercises

The actions defined by the Controls are demonstrably a subset of the comprehensive catalog defined by NIST SP 800-53. The Controls do not attempt to replace the National Institute of Standards and Technology's comprehensive Risk Management Framework. Instead, the Controls prioritize and focus on a smaller number of actionable, high-payoff controls, aiming for a "must do first" philosophy. Since the Controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, with very strong consensus on the resulting set of controls, they serve as the basis for immediate high-value action.

Process

The Controls are developed and maintained by a volunteer consortium of hundreds of security experts from across the public and private sectors. This community-based approach gives every enterprise access to recommendations by some of the best minds in the business.


The Community

Since the Controls are derived from the most common attack patterns and vetted across a very broad community of government and industry, with consensus on the resulting set of controls, they serve as a very strong basis for high-value action.

The Panel

The Critical Security Controls Panel consists of select volunteers willing to help ensure that the Controls represent the community's best insight into threat, vulnerability, and defensive technology, as well as ensure that they can be supported through cost-effective solutions. Panelists are chosen for their expertise and experience in one or more of the many dimensions of cybersecurity.

The Critical Security Controls

The Panel gathers and considers input from across the entire community of Controls users, partners, adopters, solutions providers, etc., to produce the next version of the Controls. Additionally, the Panel advises the Council about strategy and direction for the Controls.

History

2008

Over the years, many standards for cybersecurity have been developed in order to provide a framework for addressing the risks that can threaten networks and the data within them. Most of these efforts, however, have more or less been exercises in reporting on compliance, effectively diverting necessary program resources. It wasn't until 2008 that the National Security Agency (NSA) was asked by the Office of the Secretary of Defense (OSD) to help prioritize the many controls available, and began to take action with an "offense must inform defense" approach. While initially a project among government entities led by NSA, the effort expanded through a public-private consortium with the SANS Institute and the Center for Strategic and International Studies (CSIS). The consortium soon expanded to include government entities from the United States and abroad, law enforcement agencies, security service providers, national laboratories, academic institutions, and others.

In 2008, CSIS published the Controls for the first time, based in part on the expertise gained through its convening of the Commission on Cybersecurity for the 44th Presidency. This initial draft of the Controls was shared with over 50 IT and security organizations for additional input in 2009. Since that time, the consortium has grown, and the Controls are refined through the active involvement of its members.

2009

One of the earliest adopters was the U.S. Department of State, which determined that the Controls aligned remarkably well with the 3,085 cyber attacks it had experienced over fiscal year 2009. After they were implemented by every system administrator across the 24 time zones in which the Department operates, the Controls achieved an 88% reduction in vulnerability-based risks across 85,000 systems.

2011

In December of 2011, the Centre for the Protection of National Infrastructure (CPNI) announced that the government of the United Kingdom would be adopting the Critical Security Controls as the framework for securing their critical infrastructure. And in May of 2012, the NSA Director fully endorsed the adoption of the Controls as a foundation for effective network security.

Today

Today, the Controls are being used widely across the country and among international organizations. Studies conducted by the SANS Institute have found that 73% of surveyed organizations have adopted the Controls or plan to implement them, but only 10% expressed that they've done a complete job of adopting all of the controls that apply to them. This indicates both the opportunity and challenges of implementing effective cybersecurity measures.

The Council on CyberSecurity will continue the work of the consortium through stewardship of the Critical Security Controls. This includes the regular convening of experts to refine, update and validate the Controls, as well as collaboration with public and private partners globally to promote their adoption and implementation.


Significance & Impact

We are at a fascinating point in the evolution of what we now call cybersecurity. More so now than at any point in the last few decades, defenders have access to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, configuration guidance, best practices, catalogs of security controls, and countless security checklists, benchmarks, and recommendations. In terms of our understanding of the threat, we've seen the growth of numerous threat information feeds, reports, tools, alert services, standards, and threat sharing schemes. And to tie it all together, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth.

There is a near-infinite list of "good things" for every enterprise to do and to know to improve the security of cyberspace, but not always clarity on what to prioritize. This overload of defensive support is like a "Fog of More": more options, more tools, more knowledge, more advice, and more requirements, but not always more security.

Despite all of this well-intended information and technology and oversight, our problem seems to be getting worse faster than we are getting better. It is also clear that in our complex, interconnected world, no enterprise can think of its security as a standalone problem.

So how can we as a community - the community at large, as well as within sectors, partnerships, and coalitions - band together to establish priority of action, support each other, and keep our knowledge and technology current in the face of a rapidly evolving problem? What are the most critical problems we need to solve? What should an enterprise do first? Which defensive steps have the greatest value? These are the kinds of problems that drive the Critical Security Controls.

A key element of the Controls is the community aspect of this movement - how people and institutions voluntarily help each other by:

  • Sharing insight into attacks by adversaries, summarizing the classes of attacks seen, finding root causes, and subsequently translating this information into classes of defensive action;
  • Documenting use cases of adoption and the successful application of tools to solve these problems;
  • Mapping the Controls to existing regulatory and compliance frameworks to bring priority and focus to their application;
  • Sharing tools, working aids, and translations with the community at large;
  • Identifying common problems and solving them as a community instead of individually.

The Critical Security Controls illustrate the kind of large-scale, public-private, voluntary cooperation we need as a community if we are going to improve our individual and collective security in cyberspace. It is a sad and unspoken aspect of the state of cybersecurity that, by many measures, the "bad guys" are better organized and collaborate more closely than the "good guys". The Controls provide a means to turn that around.
